Hi,
We are facing the attached lockbox error in D2. Our version is 4.2. Every time we try to import, search, or do any other such activity, we get this screen. If anybody has faced such an error, can you suggest how to resolve it?
Thanks,
Amit Singh
================================ <offtopic> ================================
In November 2013 I discovered a security vulnerability in D2's D2GetAdminTicketMethod that allows
any user to gain superuser privileges. To fix that vulnerability EMC once again invented a square wheel:
they started to use cryptography (lockbox in your case) to encrypt arguments and returned values
passed through D2 methods. The funny thing is D2GetAdminTicketMethod method is still vulnerable
and any user is still able to gain superuser privileges, but D2 administrators should suffer now.
================================ </offtopic> ================================
Sorry about that
From the call stack in the included log file, it appears that the lockbox classes are not available to any of the class loaders for the D2 application. The jars in question are lb.jar and lbjni.jar. They should either be in the D2 war file, or if you have removed them from the war file in order to run D2 and D2-Config in the same application server, they should be in the common lib file for your application server.
If that doesn't prove to be the problem, I'd suggest opening an SR with EMC support to make sure that the lockbox is correctly installed on your system.
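The check suggested in the reply above can be scripted. This is an added example, not part of the original thread or EMC's tooling; the war file name `D2.war`, the helper names and the sample layout are assumptions, and the common lib directory depends on your application server.

```python
import tempfile
import zipfile
from pathlib import Path

# Jar names are taken from the reply above.
LOCKBOX_JARS = ("lb.jar", "lbjni.jar")


def locate_lockbox_jars(war_path, common_lib_dir):
    """Return {jar_name: [locations]} for the war file and the common lib dir."""
    found = {name: [] for name in LOCKBOX_JARS}
    with zipfile.ZipFile(war_path) as war:
        entries = set(war.namelist())
    lib_dir = Path(common_lib_dir)
    for name in LOCKBOX_JARS:
        # A web application loads its bundled jars from WEB-INF/lib.
        if "WEB-INF/lib/" + name in entries:
            found[name].append("war")
        if (lib_dir / name).is_file():
            found[name].append("common-lib")
    return found


def missing_jars(found):
    """Jars present in neither location, so no class loader can see them."""
    return sorted(name for name, places in found.items() if not places)


def build_sample(root, jars_in_war, jars_in_common_lib):
    """Constructed sample layout: a tiny war plus a common lib directory."""
    root = Path(root)
    war_path = root / "D2.war"  # hypothetical file name
    with zipfile.ZipFile(war_path, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for name in jars_in_war:
            war.writestr("WEB-INF/lib/" + name, b"")
    lib_dir = root / "lib"
    lib_dir.mkdir()
    for name in jars_in_common_lib:
        (lib_dir / name).write_bytes(b"")
    return war_path, lib_dir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        war, lib = build_sample(tmp, ["lb.jar"], [])
        result = locate_lockbox_jars(war, lib)
        print(result, "missing:", missing_jars(result))
```

Point `locate_lockbox_jars` at the deployed war and the server's shared library directory; any name returned by `missing_jars` is a jar the D2 application cannot load from either place.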
Andrey,
Thank you for your continued efforts and focus in identifying D2 vulnerabilities. As the general manager responsible for D2, my primary goal is to ensure that we deliver high quality, secure products that enable our customers to be successful and to safeguard their information. Part of the work you are doing to uncover vulnerabilities is helping us achieve our goal of delivering a robust, secure product to our customers.
In acknowledgement of the work you are doing, I’d like my engineering team to work closely with you to assess vulnerabilities as/if you find them. It is important that we safeguard our customers and their data, and communicating vulnerabilities to the global community via your website or this forum, without first giving my team an opportunity to deliver a fix, puts our customers at risk. Therefore, I’d like to make sure that you have a direct line of communication to both myself and my engineering team so we can work together.
Should you find vulnerabilities in the future, I’d like to work closely with you to jointly coordinate our response to the community along with a fix for the issues. I’d also like to ensure you receive appropriate credit in this communication. There are a few guiding principles taken from the EMC Product Security Office (http://productsecurityblog.emc.com/2012/12/emcs-approach-to-vulnerability-response/) that I’d like to adhere to and help guide our next steps:
Thank you
Brian
Brain,
You can be sure that all vulnerabilities will be publicly disclosed unless EMC changes the way they treat their customers.